SecShow, a Chinese Threat Actor, Performs Extensive DNS Probing Across the Globe



Security researchers have shared additional details on a Chinese actor known as SecShow, who has been observed carrying out Domain Name System (DNS) probing worldwide since at least June 2023.

The adversary operates from the China Education and Research Network (CERNET), a project financed by the Chinese government, according to Infoblox security researchers Dr. Renée Burton and Dave Mitchell.

In a report that was published last week, they stated that the objective of these queries is to identify and quantify DNS responses at open resolvers. “The end goal of the SecShow actions is unknown, but the data that is collected is capable of being utilized for illicit purposes and solely for the good of the attacker.”

However, there is some evidence to suggest that it may have been associated with academic research that was focused on “executing measures using IP Address Spoofing Techniques on domains within” employing the exact same approach as the Closed Resolver Project.

This, however, raises more concerns than it answers, particularly in terms of the broad scope of the project, the rationale behind the data collection, the selection of a generic Gmail address to solicit feedback, and the general lack of transparency.

Open resolvers are DNS servers that accept and recursively resolve domain names for any party on the internet. This makes them attractive to malicious actors who wish to launch distributed denial-of-service (DDoS) attacks, such as DNS amplification attacks.

The primary function of the probes is to identify open DNS resolvers and measure DNS responses through the use of CERNET nameservers. This involves transmitting a DNS query from an as-yet unidentified source to an open resolver, which prompts the SecShow-controlled nameserver to return an arbitrary IP address.

In an intriguing twist, these nameservers have been set up to return a new random IP address each time a query arrives from a different open resolver, a behavior that triggers an amplification of queries by the Palo Alto Cortex Xpanse product.

“Cortex Xpanse considers the domain name in the DNS query as a URL and tries to obtain content from the random IP address for that domain name,” according to the investigators. “Firewalls, like Palo Alto and Check Point, as well as additional safety devices, perform URL filtering when they get the request from Cortex Xpanse.”

This filtering phase initiates a new DNS query for the domain, causing the nameserver to return a different random IP address. This, in turn, causes Cortex Xpanse to repeat the process, essentially transforming a single SecShow query into an endless cycle of queries across networks.

It is worth noting that certain aspects of these scanning activities have already been disclosed by researchers at Unit 42 within the past two months. The SecShow nameservers stopped responding in mid-May 2024.

Palo Alto Networks told a media outlet that there is currently little to no known impact on customer networks, since Xpanse is functioning as intended, apart from a minor increase in DNS resolution activity to ascertain whether the domain in question is malicious.


“Xpanse has the ability to exclude specific domains, and it ceases to scan them as new C2s are identified. We will persist in the meticulous monitoring and addition of pertinent domains to the block list as identified by researchers.”

SecShow is the second threat actor associated with China to conduct extensive DNS reconnaissance activities on the internet, following Muddling Meerkat.

“Muddling Meerkat queries are designed to mix into global DNS traffic and [have] remained unnoticed for over four years, while SecShow queries are transparent encodings of IP addresses and measurement information,” according to the researchers.
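Two observable traits described above, a nameserver that returns a fresh random IP on every response and query names that transparently encode IP addresses, can be turned into a simple triage heuristic for resolver logs. The following script is an added example written for this article, not Infoblox or Palo Alto code; it assumes a constructed log format of "seq client_ip qname answer_ip" and assumes probe labels encode an IPv4 address as eight hex digits or dashed decimal.

```python
"""Heuristic triage of SecShow-style probe names in resolver query logs.

Added example, not Infoblox or Palo Alto code. Assumes a log format of
"<seq> <client_ip> <qname> <answer_ip>"; the sample log is constructed."""
import re
from collections import defaultdict

HEX_IP = re.compile(r"^[0-9a-f]{8}$", re.I)          # e.g. c0000209
DASHED_IP = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")

# Constructed sample: a stable benign name, then a probe name whose answer
# changes on every response and whose left-most label encodes 192.0.2.9.
SAMPLE_LOG = """\
1 10.0.0.5 www.example.org 93.184.216.34
2 10.0.0.6 www.example.org 93.184.216.34
3 10.0.0.5 c0000209.m.probe.example 198.51.100.17
4 10.0.0.7 c0000209.m.probe.example 203.0.113.88
5 10.0.0.5 c0000209.m.probe.example 198.51.100.201
6 10.0.0.8 192-0-2-9.m.probe.example 203.0.113.5
"""

def decode_ip_label(label):
    """IPv4 address encoded in a label (hex or dashed decimal), else None."""
    if HEX_IP.match(label):
        return ".".join(str(int(label[i:i + 2], 16)) for i in range(0, 8, 2))
    m = DASHED_IP.match(label)
    if m and all(int(o) < 256 for o in m.groups()):
        return ".".join(m.groups())
    return None

def triage(log_text, churn_threshold=3):
    """Map qname -> reasons for names that look like measurement probes."""
    answers = defaultdict(set)   # distinct answer IPs seen per qname
    encoded = {}                 # qname -> IP its first label encodes
    for line in log_text.splitlines():
        _seq, _client, qname, answer = line.split()
        answers[qname].add(answer)
        ip = decode_ip_label(qname.split(".")[0])
        if ip:
            encoded[qname] = ip
    findings = {}
    for qname, seen in answers.items():
        reasons = []
        if qname in encoded:       # transparent encoding of an address
            reasons.append(f"label encodes {encoded[qname]}")
        if len(seen) >= churn_threshold:   # fresh random IP per response
            reasons.append(f"answer churn: {len(seen)} distinct IPs")
        if reasons:
            findings[qname] = reasons
    return findings
```

The eight-hex-digit rule is deliberately loose and will also match hash-like CDN labels, so treat an encoding hit alone as a lead and the combination with answer churn as the stronger signal.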

Rebirth Botnet Provides DDoS Services

The disclosure coincides with the discovery of a financially motivated threat actor who is advertising a new botnet service called Rebirth to facilitate DDoS attacks.

In a recent analysis, the Sysdig Threat Research Team stated that the DDoS-as-a-Service (DaaS) botnet is “based on the Mirai malware family” and that its administrators advertise its services through an online store (rebirthltd.mysellix[.]io) and Telegram.

The cybersecurity firm stated that Rebirth (also known as Vulcan) is predominantly focused on the video gaming community. It rents out the botnet to other actors at varying price points so they can target game servers for financial gain. The botnet was first documented in the wild in 2019.

The most affordable plan, entitled “Rebirth Basic,” is priced at $15. The Premium, Advanced, and Diamond tiers are priced at $47, $55, and $73, respectively. Additionally, a Rebirth API ACCESS plan is available for purchase at a cost of $53.

The Rebirth malware is capable of launching DDoS attacks over TCP and UDP protocols, including TCP ACK flood, TCP SYN flood, and UDP flood.

This is not the first instance in which DDoS botnets have targeted game servers. Microsoft disclosed the specifics of an additional botnet, MCCrash, in December 2022. This botnet is intended to attack private Minecraft servers.

Then, in May 2023, Akamai disclosed a DDoS-for-hire botnet called Dark Frost that has been observed to initiate DDoS attacks on gaming businesses, game server hosting providers, online streamers, and even other gaming community members.

“With a botnet like Rebirth, a person is capable of DDoSing the game server or other players in a live game, either triggering games to malfunction and slow down or causing other players’ connections to lag or crash,” according to Sysdig.

“This may be a monetary incentive for viewers of streaming platforms like Twitch, whose business model depends on a streaming player gaining followers; this basically offers a form of income through the monetization of a broken game.”

The California-based company posited that potential consumers of Rebirth might also be employing it to conduct DDoS trolling (also known as stressor trolling), which involves launching attacks against gaming servers to disrupt the experience of legitimate players.

The malware is distributed through attack chains that exploit known security vulnerabilities (e.g., CVE-2023-25717) to execute a bash script that downloads and executes the DDoS botnet malware based on the processor architecture.

The Telegram channel associated with Rebirth has been deleted in order to eliminate all previous posts. A message was posted on May 30, 2024, stating, “We will be back soon.” Nearly three hours later, they promoted a bulletproof hosting service known as “bulletproof-hosting[.]xyz.”


About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also frequently writes for Craw Security.
